Shade Ransomware (Oct 7th, 2016)
The Dell Sonicwall Threats Research team have observed a Ransomware Trojan that has been in existence for over a year and is still actively spreading in the wild. It spreads via malicious websites that use exploit kits and also infected email attachments. It is believed to be Russian in origin and has spread mostly in Russia.
Infection Cycle:
The Trojan uses the following icon:
Below is a sample of DNS queries made by the Trojan:
thepieur.comasifroep.comgoudabuy.comdrybloom.comguluchui.com91catdog.comjennywei.comheximdev.comniukouji.comgetvakil.comvotepies.comscan-van.cometest365.comcdxxszjy.comfootypie.comasifroep.comThe Trojan adds the following keys to the registry:
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun Client Server Runtime Subsystem %ALLUSERSPROFILE%Application DataWindowscsrss.exe
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun NetworkSubsystem %ALLUSERSPROFILE%Application DataCsrsscsrss.exe
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun CSRSS %ALLUSERSPROFILE%Application DataDriverscsrss.exe
The Trojan adds the following files to the filesystem:
- %SYSTEMROOT%README1.txt
- %SYSTEMROOT%README10.txt
- %SYSTEMROOT%README2.txt
- %SYSTEMROOT%README3.txt
- %SYSTEMROOT%README4.txt
- %SYSTEMROOT%README5.txt
- %SYSTEMROOT%README6.txt
- %SYSTEMROOT%README7.txt
- %SYSTEMROOT%README8.txt
- %SYSTEMROOT%README9.txt
- %USERSPROFILE%Local SettingsTemp�4C7E0EC.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
- %USERSPROFILE%Local SettingsTempADADBC6C.exe [Detected as GAV: FileCryptor.GAP (Trojan)]
- %ALLUSERSPROFILE%Application DataCsrsscsrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
- %ALLUSERSPROFILE%Application DataDriverscsrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
- %ALLUSERSPROFILE%Application DataWindowscsrss.exe [Detected as GAV: FileCryptor.LJR (Trojan)]
The readme files contain the following message:
All the important files on your computer were encrypted.To decrypt the files you should send the following code:0E7F1123D9BE734AF274|0to e-mail address Yvonne.Vancese1982@gmail.com .Then you will receive all necessary instructions.All the attempts of decryption by yourself will result only in irrevocable loss of your data.If you still want to try to decrypt them by yourself please make a backup at first becausethe decryption will become impossible in case of any changes inside the files.If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),use the feedback form. You can do it by two ways:1) Download Tor Browser from here:https://www.torproject.org/download/download-easy.html.enInstall it and type the following address into the address bar:http://cryptsen7fo43rr6.onion/Press Enter and then the page with feedback form will be loaded.2) Go to the one of the following addresses in any browser:http://cryptsen7fo43rr6.onion.to/http://cryptsen7fo43rr6.onion.cab/The links have been blocked at the time of writing this alert.
After each DNS request it makes the following HTTP GET request to each host:
The C&C server is located on the tor network where all communication is encrypted. An RSA-3072 public key is requested from the server:
The Trojan will then search the filesystem for files with predefined extensions and encrypt them using the RSA-3072 public key. Upon encrypting files it renames them using a filename similar to the following with a da_vinci_code extension:
- WY4BA86OCcwPVkbdji2JiS888iAqO7jOnXtXvJtekBU=.0E7F1123D9BE734AF274.da_vinci_code
After encrypting these files it displays the following message on the desktop background:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Shade.A (Trojan)
- GAV: FileCryptor.LJR (Trojan)
- GAV: FileCryptor.GAP (Trojan)
